* [Buildroot] [PATCH] package/syslog-ng: Ignore CVE-2008-5110
From: Chris Packham @ 2020-10-21 7:44 UTC
To: buildroot
This was fixed in syslog-ng 2.0.10 but the NVD database hasn't been
updated.
Signed-off-by: Chris Packham <judge.packham@gmail.com>
---
package/syslog-ng/syslog-ng.mk | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/syslog-ng.mk
index 7c2368efba..8587da746a 100644
--- a/package/syslog-ng/syslog-ng.mk
+++ b/package/syslog-ng/syslog-ng.mk
@@ -17,6 +17,10 @@ SYSLOG_NG_AUTORECONF = YES
SYSLOG_NG_CONF_OPTS = --disable-manpages --localstatedir=/var/run \
--disable-java --disable-java-modules --disable-mongodb
+# CVE-2008-5110 was fixed in syslog-ng 2.0.10 but the NVD database is not
+# aware of the fix, ignore it
+SYSLOG_NG_IGNORE_CVES += CVE-2008-5110
+
ifeq ($(BR2_PACKAGE_GEOIP),y)
SYSLOG_NG_DEPENDENCIES += geoip
SYSLOG_NG_CONF_OPTS += --enable-geoip
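Review bot: The comment above `SYSLOG_NG_IGNORE_CVES += CVE-2008-5110` states that the fix landed in syslog-ng 2.0.10 but gives no reference a later reader can check. Please point to the upstream changelog entry or commit that carries the fix, and note that the entry should be dropped once the NVD data is corrected, so the ignore does not outlive its reason. Minor style point: "is not aware of the fix, ignore it" is a comma splice; "..., so ignore it" reads better.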
--
2.28.0
* [Buildroot] [PATCH] package/syslog-ng: Ignore CVE-2008-5110
From: Thomas Petazzoni @ 2020-10-22 13:43 UTC
To: buildroot
Hello Chris,
On Wed, 21 Oct 2020 20:44:24 +1300
Chris Packham <judge.packham@gmail.com> wrote:
> This was fixed in syslog-ng 2.0.10 but the NVD database hasn't been
> updated.
>
> Signed-off-by: Chris Packham <judge.packham@gmail.com>
> ---
> package/syslog-ng/syslog-ng.mk | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/syslog-ng.mk
> index 7c2368efba..8587da746a 100644
> --- a/package/syslog-ng/syslog-ng.mk
> +++ b/package/syslog-ng/syslog-ng.mk
> @@ -17,6 +17,10 @@ SYSLOG_NG_AUTORECONF = YES
> SYSLOG_NG_CONF_OPTS = --disable-manpages --localstatedir=/var/run \
> --disable-java --disable-java-modules --disable-mongodb
>
> +# CVE-2008-5110 was fixed in syslog-ng 2.0.10 but the NVD database is not
> +# aware of the fix, ignore it
> +SYSLOG_NG_IGNORE_CVES += CVE-2008-5110
But as proposed over e-mail separately, the proper fix is to modify the
NVD database. Have you had the chance to report the issue to the NVD
database maintainers?
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH] package/syslog-ng: Ignore CVE-2008-5110
From: Chris Packham @ 2020-11-02 6:54 UTC
To: buildroot
Hi Thomas,
On Fri, Oct 23, 2020 at 2:43 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello Chris,
>
> On Wed, 21 Oct 2020 20:44:24 +1300
> Chris Packham <judge.packham@gmail.com> wrote:
>
> > This was fixed in syslog-ng 2.0.10 but the NVD database hasn't been
> > updated.
> >
> > Signed-off-by: Chris Packham <judge.packham@gmail.com>
> > ---
> > package/syslog-ng/syslog-ng.mk | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/syslog-ng.mk
> > index 7c2368efba..8587da746a 100644
> > --- a/package/syslog-ng/syslog-ng.mk
> > +++ b/package/syslog-ng/syslog-ng.mk
> > @@ -17,6 +17,10 @@ SYSLOG_NG_AUTORECONF = YES
> > SYSLOG_NG_CONF_OPTS = --disable-manpages --localstatedir=/var/run \
> > --disable-java --disable-java-modules --disable-mongodb
> >
> > +# CVE-2008-5110 was fixed in syslog-ng 2.0.10 but the NVD database is not
> > +# aware of the fix, ignore it
> > +SYSLOG_NG_IGNORE_CVES += CVE-2008-5110
>
> But as proposed over e-mail separately, the proper fix is to modify the
> NVD database. Have you had the chance to report the issue to the NVD
> database maintainers?
>
Sorry for taking so long to get back. I have reported the issue.
Apparently I should be getting an email with a ticket number but no
sign of it yet.
> Thanks!
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
* [Buildroot] [PATCH] package/syslog-ng: Ignore CVE-2008-5110
From: Chris Packham @ 2020-11-11 7:22 UTC
To: buildroot
On Mon, Nov 2, 2020 at 7:54 PM Chris Packham <judge.packham@gmail.com> wrote:
>
> Hi Thomas,
>
> On Fri, Oct 23, 2020 at 2:43 AM Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
> >
> > Hello Chris,
> >
> > On Wed, 21 Oct 2020 20:44:24 +1300
> > Chris Packham <judge.packham@gmail.com> wrote:
> >
> > > This was fixed in syslog-ng 2.0.10 but the NVD database hasn't been
> > > updated.
> > >
> > > Signed-off-by: Chris Packham <judge.packham@gmail.com>
> > > ---
> > > package/syslog-ng/syslog-ng.mk | 4 ++++
> > > 1 file changed, 4 insertions(+)
> > >
> > > diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/syslog-ng.mk
> > > index 7c2368efba..8587da746a 100644
> > > --- a/package/syslog-ng/syslog-ng.mk
> > > +++ b/package/syslog-ng/syslog-ng.mk
> > > @@ -17,6 +17,10 @@ SYSLOG_NG_AUTORECONF = YES
> > > SYSLOG_NG_CONF_OPTS = --disable-manpages --localstatedir=/var/run \
> > > --disable-java --disable-java-modules --disable-mongodb
> > >
> > > +# CVE-2008-5110 was fixed in syslog-ng 2.0.10 but the NVD database is not
> > > +# aware of the fix, ignore it
> > > +SYSLOG_NG_IGNORE_CVES += CVE-2008-5110
> >
> > But as proposed over e-mail separately, the proper fix is to modify the
> > NVD database. Have you had the chance to report the issue to the NVD
> > database maintainers?
> >
>
> Sorry for taking so long to get back. I have reported the issue.
> Apparently I should be getting an email with a ticket number but no
> sign of it yet.
>
They've bumped me on to secalert at redhat.com so we'll see how that goes.
> > Thanks!
> >
> > Thomas
> > --
> > Thomas Petazzoni, CTO, Bootlin
> > Embedded Linux and Kernel engineering
> > https://bootlin.com
* [Buildroot] [PATCH] package/syslog-ng: Ignore CVE-2008-5110
From: Chris Packham @ 2020-11-14 4:17 UTC
To: buildroot
On Wed, 11 Nov 2020, 8:22 PM Chris Packham, <judge.packham@gmail.com> wrote:
> On Mon, Nov 2, 2020 at 7:54 PM Chris Packham <judge.packham@gmail.com>
> wrote:
> >
> > Hi Thomas,
> >
> > On Fri, Oct 23, 2020 at 2:43 AM Thomas Petazzoni
> > <thomas.petazzoni@bootlin.com> wrote:
> > >
> > > Hello Chris,
> > >
> > > On Wed, 21 Oct 2020 20:44:24 +1300
> > > Chris Packham <judge.packham@gmail.com> wrote:
> > >
> > > > > This was fixed in syslog-ng 2.0.10 but the NVD database hasn't been
> > > > updated.
> > > >
> > > > Signed-off-by: Chris Packham <judge.packham@gmail.com>
> > > > ---
> > > > package/syslog-ng/syslog-ng.mk | 4 ++++
> > > > 1 file changed, 4 insertions(+)
> > > >
> > > > diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/
> syslog-ng.mk
> > > > index 7c2368efba..8587da746a 100644
> > > > --- a/package/syslog-ng/syslog-ng.mk
> > > > +++ b/package/syslog-ng/syslog-ng.mk
> > > > @@ -17,6 +17,10 @@ SYSLOG_NG_AUTORECONF = YES
> > > > SYSLOG_NG_CONF_OPTS = --disable-manpages --localstatedir=/var/run \
> > > > --disable-java --disable-java-modules --disable-mongodb
> > > >
> > > > +# CVE-2008-5110 was fixed in syslog-ng 2.0.10 but the NVD database
> is not
> > > > +# aware of the fix, ignore it
> > > > +SYSLOG_NG_IGNORE_CVES += CVE-2008-5110
> > >
> > > But as proposed over e-mail separately, the proper fix is to modify the
> > > NVD database. Have you had the chance to report the issue to the NVD
> > > > database maintainers?
> > >
> >
> > Sorry for taking so long to get back. I have reported the issue.
> > Apparently I should be getting an email with a ticket number but no
> > sign of it yet.
> >
>
> They've bumped me on to secalert at redhat.com so we'll see how that goes.
>
Looks like the text has been updated to say that the vulnerability affects
versions up to 2.0.9 but the cpe info hasn't been updated yet.
>